Deploy monitoring agents

Use the Deploy Monitoring Agents tool to automatically activate GIM clients, install S-TAPs, and begin monitoring database traffic.

The deploy monitoring agents tool simplifies the process of establishing a Guardium deployment. Building on existing Guardium installation manager (GIM) infrastructure, the deploy monitoring agents tools helps you quickly find database servers, install monitoring agents (S-TAPs), and configure inspection engines for your databases. In addition, the tool provides a centralized view for tracking and reviewing deployment status.

Prerequisites

Review prerequisites and restrictions before you being deploying monitoring agents.

Before using the deploy monitoring agents tool to install S-TAPs and configure inspection engines on your database servers, verify the following prerequisites.

The target S-TAP installation directory must be empty or not exist.
You cannot install an S-TAP into a directory that already contains any files.
Review S-TAP prerequisites
Windows: Prerequisites: Installing S-TAP
Linux-UNIX: S-TAP installation prerequisites
Install GIM clients in listener mode
Install GIM clients in listener mode on one or more database servers in your environment. To install the GIM client in listener mode on Windows systems, omit the --host parameter. To install the GIM client in listener mode on systems such as AIX and Linux, omit the --sqlguardip parameter. For more information about GIM listener mode, see GIM server allocation.
Important: You may need to open a port between the GIM client on the database server and the Guardium system where you will run the deploy monitoring agents tool. The default port 8445 is used unless you specify a different port when installing the GIM client.
Upload GIM S-TAP modules to the Guardium system
Run the deploy monitoring agents tool as an administrative user from any Guardium system that is not configured as an aggregator. Before you begin, use the following procedure to upload GIM S-TAP modules to the Guardium system.
  1. Navigate to Manage > Module Installation > Upload Modules.
  2. Click Choose file and select the module you want to install.
  3. Click Upload to upload the module to the Guardium system. After uploading, the module will be listed in the Import uploaded modules table.
  4. In the Import uploaded modules table, click the check box next to the module you want to install. The module will be imported and made available for installation. After the module is imported, the Upload Modules page will reload and the module will no longer appear in the Import uploaded modules table.

For information about S-TAP offerings and supported platforms, see System requirements and supported platforms for IBM Security Guardium.

Verify that all discoverable database servers are running
Inspection engines can be automatically configured for some databases, including the following:
  • DB2 for Linux, UNIX, and Windows
  • Informix
  • Microsoft SQL Server
  • MySQL
  • Oracle
  • Postgre SQL
  • Sybase
  • Teradata

To allow the auto-configuration of inspection engines, verify that databases servers are running before deploying monitoring agents.

For more information about automatically discovering database instances, see Discover database instances; Windows: Discover database instances.

Deploying agents

Learn how to quickly deploy S-TAPs and configure inspection engines for monitoring database traffic.

Before you begin

Run the deploy monitoring agents tool as an administrative user from any Guardium system that is not configured as an aggregator. Verify the following before you begin:
  • GIM clients are installed in listener mode.
  • GIM S-TAP modules are imported to the Guardium system.
  • Discoverable database servers are running.
For more information, see Prerequisites.

Procedure

  1. Open the deploy monitoring agents tool by navigating to Setup > Smart Assistant > Deploy Monitoring Agents.
  2. In the Identify database servers section, use the IP addresses field to specify a range of IP address to search for GIM clients in listener mode.
    Use the add icon to specify additional IP addresses. Include wildcard (*) or range (-) characters to expand the search. For example, 10.0.0-5.*. Use commas to separate complete IP addresses or ranges. For example, 9.70.145.165,9.70.145-148.165,9.70.145.*.
    Important: Scanning a large number of IP addresses is time intensive and may time-out before the scan completes. Use the IP addresses fields to define a narrow range of IP addresses where you expect to find GIM clients in listener mode.
  3. Click Discover to begin scanning for GIM clients in listener mode.
    Tip: By default, the discovery of GIM clients and the deployment of monitoring agents (S-TAPs) is completed in two separate steps: discovery, then deployment. This allows you to manually select the database servers where you want to install S-TAPs, as described in the following steps.

    However, it is possible to streamline the process by automatically installing S-TAPs on all compatible GIM clients that are discovered while scanning IP addresses. To enable the automated mode, click customize to open the Customize settings dialog and select Automatically deploy agents on discovered database servers. When using the automated mode, after specifying the IP addresses to scan, simply click the Discover and Deploy button.

  4. In the Database server status section, select the database servers where you would like to deploy monitoring agents and click Deploy Agents to open the Configure monitoring agents dialog.
  5. From the Configure monitoring agents dialog, review and adjust the installation parameters. Click Deploy to begin installing monitoring agents.

    The default parameters should work well for most new deployments. However, you may want to adjust the following settings for your specific environment.

    Windows installation directory

    Specify an installation directory for S-TAPs deployed on Windows database servers. The parameter is ignored and default installation paths are used when deploying on other platforms. For more information about S-TAP installation parameters, see S-TAP command line and GIM installation parameters and S-TAP install script parameters.

    Assign a Guardium collector

    Select Use enterprise load balancing to automatically assign S-TAPs based on the relative load or availability of Guardium collectors in a centrally-managed environment. For more information, see Enterprise load balancing.

    Select Specify collector to assign S-TAPs to a specific Guardium collector.

  6. In the Database server status section, use the S-TAP installation status column to monitor the progress of module installation.
    A status of Installed indicates successful and complete installation.

What to do next

If the S-TAP installation status of a database server is marked Failed, click the more information icon to learn more about the problem. If a database server disappears from the Database server status after attempting to deploy monitoring agents, click Error log (if a log is available) to learn more about the problem.

Tip: The Error log captures issues related to the Deploy monitoring agents tool. For example, if Deploy monitoring agents cannot find a module required for installation, a message is added to the Error log. Other errors are recorded in component-specific logs and made available for investigation by clicking the more information icon in the S-TAP installation status column.

After successfully deploying monitoring agents, you are ready to monitor traffic on your database servers and begin meeting security compliance requirements. To configure compliance monitoring, navigate to Setup > Smart Assistant > Compliance monitoring and see Compliance monitoring for more information.